The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-53521, a critical vulnerability in F5 BIG-IP Access Policy Manager (APM), to its Known Exploited Vulnerabilities (KEV) catalog following reports of active attacks.
The flaw, rated 9.3 on CVSS v4, allows remote code execution (RCE) when a BIG-IP APM access policy is configured on a virtual server. F5 initially classified it as a denial-of-service (DoS) issue with a CVSS score of 8.7 and reclassified it as RCE after new information emerged in March 2026. The company has confirmed active exploitation against affected BIG-IP versions but has not publicly identified the attackers.
Indicators of Compromise and Tactics
F5 released several indicators of compromise to help organizations detect potential breaches:
File-related signals:
- Presence of /run/bigtlog.pipe or /run/bigstart.ltm.
- Hash or timestamp mismatches for /usr/bin/umount and /usr/sbin/httpd.
Log-related signals:
- Entries in /var/log/restjavad-audit.<NUMBER>.log or /var/log/auditd/audit.log.<NUMBER> showing local access to the iControl REST API.
- Log entries showing commands that modify SELinux settings.
Other observed tactics:
- Alterations to system components used by the integrity checker sys-eicheck.
- HTTP/S traffic showing HTTP 201 responses with CSS content-types, used to conceal malicious activity.
- Webshells operating in memory, sometimes without modifying expected files such as /var/sam/www/webtop/renderer/apm_css.php3.
Affected Versions and Patches
The vulnerability impacts the following BIG-IP APM versions:
- 17.5.0 – 17.5.1 (patched in 17.5.1.3)
- 17.1.0 – 17.1.2 (patched in 17.1.3)
- 16.1.0 – 16.1.6 (patched in 16.1.6.1)
- 15.1.0 – 15.1.10 (patched in 15.1.10.8)
CISA has directed Federal Civilian Executive Branch (FCEB) agencies to apply the fixes by March 30, 2026, due to the elevated risk from in-the-wild exploitation.
Expert Commentary
Benjamin Harris, CEO of watchTowr, highlighted the evolving risk: “CVE-2025-53521 started as a denial-of-service issue, which may have seemed low priority for administrators. Today, it’s a pre-auth RCE vulnerability actively exploited in the wild, now listed in CISA’s KEV—making it a critical security concern.”
Security experts stress that organizations using vulnerable BIG-IP versions should immediately implement the patches and monitor for signs of compromise, including unusual API access and system file changes, to mitigate potential damage.